MineWebCMS

[BUG] Found stored XSS vuln in Administration page

Open GrayR0ot opened this issue 5 years ago • 6 comments

Describe the bug

Editing members from the admin panel allows us to use a stored XSS vulnerability

To Reproduce

Steps to reproduce the behavior:

  1. Go to Membres -> Edit any

  2. Set the user name to

  3. Then save

It allows us to use a stored XSS vulnerability, which would allow us to steal visitors' cookies and other fun facts

GrayR0ot, Jan 13 '21 11:01

Indeed, no page of the admin panel is protected against XSS. It should be, but we felt that if you have access to the admin panel you are someone you can trust

nivcoo, Jan 13 '21 11:01

For the cookies, if you have access to the file you can also do anything with cookies and customer information

nivcoo, Jan 13 '21 11:01

I just successfully hijacked a customer dashboard, but if you think it's normal to leave this kind of vulnerability, this is your choice.

GrayR0ot, Jan 13 '21 12:01

It's not really a choice, but yes it would be nice to take 2-3 hours to make the necessary changes

nivcoo, Jan 13 '21 12:01

We will add protection for the XSS on the admin panel in no time :p

nivcoo, Aug 28 '21 22:08

It's good

StanByes, Mar 29 '22 17:03
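
An added example, not part of the thread and not MineWebCMS code: the member-name field from the report rendered without and with output encoding, plus an allow-list check at save time. The `pseudo` key, the function names and the allow-list pattern are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; names and the allow-list are assumptions, not MineWebCMS code.

/** Escape a value for an HTML text node or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Reject names outside a conservative allow-list when the admin form is saved. */
function isValidPseudo(string $pseudo): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,16}\z/', $pseudo) === 1;
}

/** Unsafe: the stored value is concatenated into markup as-is. */
function renderMemberRowUnsafe(array $member): string
{
    return '<tr><td>' . $member['pseudo'] . '</td></tr>';
}

/** Hardened: the stored value is encoded at the point of output. */
function renderMemberRow(array $member): string
{
    return '<tr><td>' . e($member['pseudo']) . '</td></tr>';
}

// Constructed sample records: one ordinary name, one containing harmless markup.
$members = [
    ['pseudo' => 'Steve_42'],
    ['pseudo' => '<b>not-a-name</b>'],
];

foreach ($members as $m) {
    printf(
        "valid=%s\n  unsafe:   %s\n  hardened: %s\n",
        var_export(isValidPseudo($m['pseudo']), true),
        renderMemberRowUnsafe($m),
        renderMemberRow($m)
    );
}
```

The second record fails the allow-list, and in the hardened row its angle brackets come out as `&lt;` and `&gt;`, so the browser shows it as text. Marking the session cookie HttpOnly limits what a missed escape can read, but it does not replace encoding on output.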